We first propose a clean definition of the goals of private browsing and survey its implementation in different browsers. We conduct a measurement study to determine how often it is used and on what categories of sites. Our results suggest that
determine how often private mode is used. Using ad targeting by the ad-network we target different categories of sites, enabling us to correlate the use of private browsing with the type of site being visited. We find it to be more popular at adult sites and less popular at gift sites, suggesting that its primary purpose may not be shopping for surprise gifts. We quantify our findings in Section 4.

Tools. We describe an automated technique for identifying failures in private browsing implementations and use it to discover a few weaknesses in the Firefox browser.

Browser extensions. We propose an improvement to existing approaches to extensions in private browsing mode, preventing extensions from unintentionally leaving traces of the private activity on disk. We implement our proposal as a Firefox extension that imposes this policy on other extensions.

Organization. Section 2 presents a threat model for private browsing. Section 3 surveys private browsing mode in modern browsers. Section 4 describes our experimental measurement of private browsing usage. Section 5 describes the weaknesses we found in existing private browsing implementations. Section 6 addresses the challenges introduced by extensions and plug-ins. Section 7 describes additional related work. Section 8 concludes.

2 Private browsing: goal and threat model

In defining the goals and threat model for private browsing, we consider two types of attackers: an attacker who controls the user's machine (a local attacker) and an attacker who controls web sites that the user visits (a web attacker). We define security against each attacker in turn. In what follows we refer to the user browsing the web in private browsing mode as the user and refer to someone trying to determine information about the user's private browsing actions as the attacker.

2.1 Local attacker

Stated informally, security against a local attacker means that an attacker who takes control of the machine after the user exits private browsing can learn nothing about the user's actions while in private browsing. We define this more precisely below.

We emphasize that the local attacker has no access to the user's machine before the user exits private browsing. Without this limitation, security against a local attacker is impossible; an attacker who has access to the user's machine before or during a private browsing session can simply install a key-logger and record all user actions. By restricting the local attacker to after the fact forensics, we can hope to provide security by having the browser adequately erase persistent state changes during a private browsing session.

As we will see, this requirement is far from simple. For one thing, not all state changes during private browsing should be erased at the end of a private browsing session. We draw a distinction between four types of persistent state changes:

1. Changes initiated by a web site without any user interaction. A few examples in this category include setting a cookie, adding an entry to the history file, and adding data to the browser cache.
2. Changes initiated by a web site, but requiring user interaction. Examples include generating a client certificate or adding a password to the password database.
3. Changes initiated by the user. For example, creating a bookmark or downloading a file.
4. Non-user-specific state changes, such as installing a browser patch or updating the phishing block list.

All browsers try to delete state changes in category (1) once a private browsing session is terminated. Failure to do so is treated as a private browsing violation. However, changes in the other three categories are in a gray area and different browsers treat these changes differently and often inconsistently. We discuss implementations in different browsers in the next section.

To keep our discussion general we use the term protected actions to refer to state changes that should be erased when leaving private browsing. It is up to each browser vendor to define the set of protected actions.

Network access. Another complication in defining private browsing is server side violations of privacy. Consider a web site that inadvertently displays to the world the last login time of every user registered at the site. Even if the user connects to the site while in private mode, the user's actions are open for anyone to see. In other words, web sites can easily violate the goals of private browsing, but this should not be considered a violation of private browsing in the browser. Since we are focusing on browser-side security, our security model defined below ignores server side violations. While browser vendors mostly ignore server side violations, one can envision a number of potential solutions:

- Much like the phishing filter, browsers can consult a block list of sites that should not be accessed while in private browsing mode.
- Alternatively, sites can provide a P3P-like policy statement saying that they will not violate private browsing. While in private mode, the browser will not connect to sites that do not display this policy.
- A non-technical solution is to post a privacy seal at web sites who comply with private browsing. Users can avoid non-compliant sites when browsing privately.

Security model. Security is usually defined using two parameters: the attacker's capabilities and the attacker's goals. A local private browsing attacker has the following capabilities:

- The attacker does nothing until the user leaves private browsing mode at which point the attacker gets complete control of the machine. This captures the fact that the attacker is limited to after-the-fact forensics. In this paper we focus on persistent state violations, such as those stored on disk; we ignore private state left in memory. Thus, we assume that before the attacker takes over the local machine all volatile memory is cleared (though data on disk, including the hibernation file, is fair game). Our reason for ignoring volatile memory is that erasing all of it when exiting private browsing can be quite difficult and, indeed, no browser does it. We leave it as future work to prevent privacy violations resulting from volatile memory.
- While active, the attacker cannot communicate with network elements that contain information about the user's activities while in private mode (e.g. web sites the user visited, caching proxies, etc.). This captures the fact that we are studying the implementation of browser-side privacy modes, not server-side privacy.

Given these capabilities, the attacker's goal is as follows: for a set S of HTTP requests of the attacker's choosing, determine if the browser issued any of those requests while in private browsing mode. More precisely, the attacker is asked to distinguish a private browsing session where the browser makes one of the requests in S from a private browsing session where the browser does not. If the local attacker cannot achieve this goal then we say that the browser's implementation of private browsing is secure. This will be our working definition throughout the paper. Note that since an HTTP request contains the name of the
domain visited this definition implies that the attacker cannot tell if the user visited a particular site (to see why set S to be the set of all possible HTTP requests to the site in question). Moreover, even if by some auxiliary information the attacker knows that the user visited a particular site, the definition implies that the attacker cannot tell what the user did at the site. We do not formalize properties of private browsing in case the user never exits private browsing mode.

Difficulties. Browser vendors face a number of challenges in securing private browsing against a local attacker. One set of problems is due to the underlying operating system. We give two examples:

First, when connecting to a remote site the browser must resolve the site's DNS name. Operating systems often cache DNS resolutions in a local DNS cache. A local attacker can examine the DNS cache and the TTL values to learn if and when the user visited a particular site. Thus, to properly implement private browsing, the browser will need to ensure that all DNS queries while in private mode do not affect the system's DNS cache: no entries should be added or removed. A more aggressive solution, supported in Windows 2000 and later, is to flush the entire DNS resolver cache when exiting private browsing. None of the mainstream browsers currently address this issue.

Second, the operating system can swap memory pages to the swap partition on disk which can leave traces of the user's activity. To test this out we performed the following experiment on Ubuntu 9.10 running Firefox 3.5.9:

1. We rebooted the machine to clear RAM and setup and mounted a swap file (zeroed out).
2. Next, we started Firefox, switched to private browsing mode, browsed some websites and exited private mode but kept Firefox running.
3. Once the browser was in public mode, we ran a memory leak program a few times to force memory pages to be swapped out. We then ran strings on the swap file and searched for specific words and content of the webpages visited while in private mode.

The experiment showed that the swap file contained some URLs of visited websites, links embedded in those pages and sometimes even the text from a page, enough information to learn about the user's activity in private browsing.

This experiment shows that a full implementation of private browsing will need to prevent browser memory pages from being swapped out. None of the mainstream browsers currently do this.

Non-solutions. At first glance it may seem that security against a local attacker can be achieved using virtual machine snapshots. The browser runs on top of a virtual machine monitor (VMM) that takes a snapshot of the browser state whenever the browser enters private browsing mode. When the user exits private browsing the VMM restores the browser, and possibly other OS data, to its state prior to entering private mode. This architecture is unacceptable to browser vendors for several reasons: first, a browser security update installed during private browsing will be undone when exiting private mode;

| | FF | Safari | Chrome | IE |
|---|---|---|---|---|
| History | no | yes | no | no |
| Cookies | no | yes | no | no |
| HTML5 local storage | no | yes | no | no |
| Bookmarks | yes | yes | yes | yes |
| Password database | yes | yes | yes | yes |
| Form autocompletion | yes | yes | yes | no |
| User approved SSL self-signed cert | yes | yes | yes | yes |
| Downloaded items list | no | yes | yes | n/a |
| Downloaded items | yes | yes | yes | yes |
| Search box search terms | yes | yes | yes | yes |
| Browser's web cache | no | no | no | no |
| Client certs | yes | yes | yes | yes |
| Custom protocol handlers | yes | n/a | n/a | n/a |
| Per-site zoom level | no | n/a | yes | n/a |

Table 1: Is the state set in earlier public mode(s) accessible in private mode?

| | FF | Safari | Chrome | IE |
|---|---|---|---|---|
| History | no | no | no | no |
| Cookies | no | no | no | no |
| HTML5 Local storage | no | no | no | no |
| Bookmarks | yes | yes | yes | yes |
| Password database | no | no | no | no |
| Form autocompletion | no | no | no | no |
| User approved SSL self-signed cert | no | yes | yes | yes |
| Downloaded items list | no | no | no | n/a |
| Downloaded items | yes | yes | yes | yes |
| Search box search terms | no | no | no | no |
| Browser's web cache | no | no | no | no |
| Client certs | yes | n/a | n/a | yes |
| Custom protocol handlers | yes | n/a | n/a | n/a |
| Per-site zoom level | no | n/a | no | n/a |

Table 2: Is the state set in earlier private mode(s) accessible in public mode?
| | FF | Safari | Chrome | IE |
|---|---|---|---|---|
| History | no | no | no | no |
| Cookies | yes | yes | yes | yes |
| HTML5 Local storage | yes | yes | yes | yes |
| Bookmarks | yes | yes | yes | yes |
| Password database | no | no | no | no |
| Form autocompletion | no | no | no | no |
| User approved SSL self-signed cert | yes | yes | yes | yes |
| Downloaded items list | yes | no | no | n/a |
| Downloaded items | yes | yes | yes | yes |
| Search box search terms | no | no | no | no |
| Browser's web cache | yes | yes | yes | yes |
| Client certs | yes | n/a | n/a | yes |
| Custom protocol handlers | yes | n/a | n/a | n/a |
| Per-site zoom level | no | n/a | yes | n/a |

Table 3: Is the state set in private mode at some point accessible later in the same session?

Figure 2: Observed rates of private browsing use

sure that all browser features behave correctly in private mode. We performed two systematic studies:

- Our first study is based on a manual review of the Firefox source code. We located all points in the code where Firefox writes to persistent storage and manually verified that those writes are disabled in private browsing mode.
- Our second study is an automated tool that runs the Firefox unit tests in private browsing mode and looks for changes in persistent storage. This tool can be used as a regression test to ensure that new browser features are consistent with private browsing.

We report our results in the next two sections.

5.1 A systematic study by manual code review

Firefox keeps all the state related to the user's browsing activity (including preferences, history, cookies, text entered in form fields, search queries, etc.) in a Profile folder on disk [22]. By observing how and when persistent modifications to these files occur in private mode we can learn a great deal about how private mode is implemented in Firefox. In this section we describe the results of our manual code review of all points in the Firefox code that modify files in the Profile folder.

Our first step was to identify those files in the profile folder that contain information about a private browsing session. Then, we located the modules in the Mozilla code base that directly or indirectly modify these files. Finally, we reviewed these modules to see if they write to disk while in private mode.

Our task was greatly simplified by the fact that all writes to files inside the Profile directory are done using two code abstractions. The first is nsIFile, a cross-platform representation of a location in the filesystem used to read or write to files [21]. The second is Storage, a SQLite database API that can be used by other Firefox components and extensions to manipulate SQLite database files [23]. Points in the code that call these abstractions can check the current private browsing state by calling or hooking into the nsIPrivateBrowsingService interface [24].

Using this method we located 24 points in the Firefox 3.6 code base that control all writes to sensitive files in the Profile folder. Most had adequate checks for private browsing mode, but some did not. We give a few examples of points in the code that do not adequately check private browsing state.

- Security certificate settings (stored in file cert8.db): stores all security certificate settings and any SSL certificates that have been imported into Firefox either by an authorized website or manually by the user. This includes SSL client certificates. There are no checks for private mode in the code. We explained in Section 3.1 that this is a violation of the private browsing security model since a local attacker can easily determine if the user visited a site that generates a client key pair or installs a client certificate in the browser. We also note that certificates created outside private mode are usable in private mode, enabling a web attacker to link the user in public mode to the same user in private mode.
- Site-specific preferences (stored in file permissions.sqlite): stores many of Firefox permissions that are decided on a per-site basis. For example, it stores which sites are allowed or blocked from setting cookies, installing extensions, showing images, displaying popups, etc. While there are checks for private mode in the code, not all state changes are blocked. Permissions added to block cookies, popups or allow add-ons in private mode are persisted to disk. Consequently, if a user visits some site that attempts to open a popup, the popup blocker in Firefox blocks it and displays
a message with some actions that can be taken. In private mode, the "Edit popup blocker preferences" option is enabled and users who click on that option can easily add a permanent exception for the site without realizing that it would leave a trace of their private browsing session on disk. When browsing privately to a site that uses popups, users might be tempted to add the exception, thus leaking information to the local attacker.
- Download actions (stored in file mimeTypes.rdf): the file stores the user's preferences with respect to what Firefox does when it comes across known file types like pdf or avi. It also stores information about which protocol handlers (desktop-based or custom protocol handlers) to launch when it encounters a non-http protocol like mailto [26]. There are no checks for private mode in the code. As a result, a webpage can install a custom protocol handler into the browser (with the user's permission) and this information would be persisted to disk even in private mode. As explained in Section 3.1, this enables a local attacker to learn that the user visited the website that installed the custom protocol handler in private mode.

5.2 An automated private browsing test using unit tests

All major browsers have a collection of unit tests for testing browser features before a release. We automate the testing of private browsing mode by leveraging these tests to trigger many browser features that can potentially violate private browsing. We explain our approach as it applies to the Firefox browser. We use MozMill, a Firefox user-interface test automation tool [20]. Mozilla provides about 196 MozMill tests for the Firefox browser.

Our approach. We start by creating a fresh browser profile and set preferences to always start Firefox in private browsing mode. Next we create a backup copy of the profile folder and start the MozMill tests. We use two methods to monitor which files are modified by the browser during the tests:

- fs_usage is a Mac OS X utility that presents system calls pertaining to filesystem activity. It outputs the name of the system call used to access the filesystem and the file descriptor being acted upon. We built a wrapper script around this tool to map the file descriptors to actual pathnames using lsof. We run our script in parallel with the browser and the script monitors all files that the browser writes to.
- We also use the last modified time for files in the profile directory to identify those files that are changed during the test.

Once the MozMill test completes we compare the modified profile files with their backup versions and examine the exact changes to eliminate false positives. In our experiments we took care to exclude all MozMill tests like testPrivateBrowsing that can turn off private browsing mode. This ensured that the browser was in private mode throughout the duration of the tests.

We did the above experiment on Mac OS X 10.6.2 and Windows Vista running Firefox 3.6. Since we only consider the state of browser profile and start with a clean profile, the results should not depend on OS or state of the machine at the time of running the tests.

Results. After running the MozMill tests we discovered several additional browser features that leak information about private mode. We give a few examples.

- Certificate Authority (CA) Certificates (stored in cert8.db). Whenever the browser receives a certificate chain from the server, it stores all the certificate authorities in the chain in cert8.db. Our tests revealed that CA certs cached in private mode persist when private mode ends. This is a significant privacy violation. Whenever the user visits a site that uses a non-standard CA, such as certain government sites, the browser will cache the corresponding CA cert and expose this information to the local attacker.
- SQLite databases. The tests showed that the last modified timestamps of many SQLite databases in the profile folder are updated during the test. But at the end of the tests, the resulting files have exactly the same size and there are no updates to any of the tables. Nevertheless, this behavior can be exploited by a local attacker to discover that private mode was turned on in the last browsing session. The attacker simply observes that no entries were added to the history database, but the SQLite databases were accessed.
- Search Plugins (stored in search.sqlite and search.json). Firefox supports auto-discovery of search plugins [19, 25] which is a way for web sites to advertise their Firefox search plugins to the user. The tests showed that a search plugin added in private mode persists to disk. Consequently, a local attacker will discover that the user visited the web site that provided the search plugin.
- Plugin Registration (stored in pluginreg.dat). This file is generated automatically and records information about installed plugins like Flash and Quicktime. We observed changes in modification time, but there were only cosmetic changes in the file content. However, as with search plugins, new plugins installed in private mode result in new information written to pluginreg.dat.

Discovering these leaks using MozMill tests is much easier than a manual code review.

Using our approach as a regression tool. Using existing unit tests provides a quick and easy way to test private browsing behavior. However, it would be better to include test cases that are designed specifically for private mode and cover all browser components that could potentially write to disk. The same suite of test cases could be used to test all browsers and hence would bring some consistency in the behavior of various browsers in private mode.

As a proof of concept, we wrote two MozMill test cases for the violations discovered in Section 5.1:

- Site-specific Preferences (stored in file permissions.sqlite): visits a fixed URL that opens up a popup. The test edits preferences to allow a popup from this site.
- Download Actions (mimeTypes.rdf): visits a fixed URL that installs a custom protocol handler.

Running these tests using our testing script revealed writes to both profile files involved.

6 Browser addons

Browser addons (extensions and plug-ins) pose a privacy risk to private browsing because they can persist state to disk about a user's behavior in private mode. The developers of these addons may not have considered private browsing mode while designing their software, and their source code is not subject to the same rigorous scrutiny that browsers are subjected to. Each of the different browsers we surveyed had a different approach to addons in private browsing mode:

- Internet Explorer has a configurable "Disable Toolbars and Extensions when InPrivate Browsing Mode Starts" menu option, which is checked by default. When checked, extensions (browser helper objects) are disabled, although plugins (ActiveX controls) are still functional.
- Firefox allows extensions and plugins to function normally in Private Browsing mode.
- Google Chrome disables most extension functionality in Incognito mode. However, plugins (including plugins that are bundled with extensions) are enabled. Users can add exceptions on a per-extension basis using the extensions management interface.
- Safari does not have a supported extension API. Using unsupported APIs, it is possible for extensions to run in private browsing mode.

In Section 6.1, we discuss problems that can occur in browsers that allow extensions in private browsing mode. In Section 6.2 we discuss approaches to address these problems, and we implement a mitigation in Section 6.3.

6.1 Extensions violating private browsing

We conducted a survey of extensions to find out if they violated private browsing mode. This section describes our findings.

Firefox. We surveyed the top 40 most popular add-ons listed at http://addons.mozilla.org. Some of these extensions like Cooliris contain binary components (native code). Since these binary components execute with the same permissions as those of the user, the extensions can, in principle, read or write to any file on disk. This arbitrary behavior makes the extensions difficult to analyze for private mode violations. We regard all binary extensions as unsafe for private browsing and focus our attention only on JavaScript-only extensions.

To analyze the behavior of JavaScript-only extensions, we observed all persistent writes they caused when the browser is running in private mode. Specifically, for each extension, we install that extension and remove all other extensions. Then, we run the browser for some time, do some activity like visiting websites and modifying extension options so as to exercise as many features of the extension as possible and track all writes that happen during this browsing session. A manual scan of the files and data that were written then tells us if the extension violated private mode. If we find any violations, the extension is unsafe for private browsing. Otherwise, it may or may not be safe.

Tracking all writes caused by extensions is easy as almost all JavaScript-only extensions rely on one of the following three abstractions to persist data on disk:

- nsIFile is a cross-platform
representation of a location in the filesystem. It can be used to create or remove files/directories and write data when used in combination with components such as nsIFileOutputStream and nsISafeOutputStream.
- Storage is a SQLite database API [23] and can be used to create, remove, open or add new entries to SQLite databases using components like mozIStorageService, mozIStorageStatement and mozIStorageConnection.

[14] Jonathan R. Mayer. Any person... a pamphleteer: Internet Anonymity in the Age of Web 2.0. PhD thesis, Princeton University, 2009.
[15] Katherine McKinley. Cleaning up after cookies, Dec. 2008. https://www.isecpartners.com/files/iSEC_Cleaning_Up_After_Cookies.pdf.
[16] Jorge Medina. Abusing insecure features of internet explorer, February 2010. http://www.blackhat.com/presentations/bh-dc-10/Medina_Jorge/BlackHat-DC-2010-Medina-Abusing-/insecure-features-of-Internet-/Explorer-wp.pdf.
[17] Microsoft. InPrivate browsing. http://www.microsoft.com/windows/internet-explorer/features/safer.aspx.
[18] Lynette Millett, Batya Friedman, and Edward Felten. Cookies and web browser design: Toward realizing informed consent online. In Proc. of the CHI 2001, pages 46-52, 2001.
[19] Mozilla Firefox - Creating OpenSearch plugins for Firefox. https://developer.mozilla.org/en/Creating_OpenSearch_plugins_for_Firefox.
[20] Mozilla Firefox - MozMill. http://quality.mozilla.org/projects/mozmill.
[21] Mozilla Firefox - nsIFile. https://developer.mozilla.org/en/nsIFile.
[22] Mozilla Firefox - Profiles. http://support.mozilla.com/en-US/kb/Profiles.
[23] Mozilla Firefox - Storage. https://developer.mozilla.org/en/Storage.
[24] Mozilla Firefox - Supporting private browsing mode. https://developer.mozilla.org/En/Supporting_private_browsing_mode.
[25] OpenSearch. http://www.opensearch.org.
[26] Web-based protocol handlers. https://developer.mozilla.org/en/Web-based_protocol_handlers.
[27] The platform for privacy preferences project (P3P). http://www.w3.org/TR/P3P.
[28] Matt Perry. RFC: Extensions Incognito, January 2010. http://groups.google.com/group/chromium-dev/browse_thread/thread/5b95695a7fdf6c15/b4052bb405f2820f.
[29] Mike Perry. Torbutton. http://www.torproject.org/torbutton/design.
[30] J. Reagle and L. Cranor. The platform for privacy preferences. CACM, 42(2):48-55, 1999.
[31] Sasha Romanosky. FoxTor: helping protect your identity while browsing online. cups.cs.cmu.edu/foxtor.
[32] F. Saint-Jean, A. Johnson, D. Boneh, and J. Feigenbaum. Private web search. In Proc. of the 6th ACM Workshop on Privacy in the Electronic Society (WPES), 2007.
[33] Umesh Shankar and Chris Karlof. Doppelganger: Better browser privacy without the bother. In Proceedings of ACM CCS'06, pages 154-167, 2006.
[34] Paul Syverson, Michael Reed, and David Goldschlag. Private web browsing. Journal of Computer Security (JCS), 5(3):237-248, 1997.
[35] Lewis Thompson. Chrome incognito tracks visited sites, 2010. www.lewiz.org/2010/05/chrome-incognito-tracks-visited-sites.html.
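
Added example (not the authors' tool): a minimal sketch of the profile comparison described in Section 5.2, which separates files whose bytes changed from files whose last modified time moved with identical content, the distinction the Results draw for cert8.db and the SQLite databases. It substitutes SHA-256 digests for the paper's backup copy; the demo profile, its contents and the file name sample.sqlite are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(profile_dir):
    """Map each file's path (relative to the profile) to (sha256, mtime_ns)."""
    state = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, profile_dir)
            state[rel] = (digest, os.stat(path).st_mtime_ns)
    return state


def diff_profiles(before, after):
    """Classify every difference between two snapshots of the same profile."""
    report = {"created": [], "deleted": [], "content_changed": [], "mtime_only": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report["created"].append(rel)
        elif rel not in after:
            report["deleted"].append(rel)
        elif before[rel][0] != after[rel][0]:
            report["content_changed"].append(rel)  # bytes on disk differ
        elif before[rel][1] != after[rel][1]:
            report["mtime_only"].append(rel)       # touched, same bytes
    return report


def _write(path, data, mode="wb"):
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Run the comparison on a constructed profile; no browser is involved."""
    profile = tempfile.mkdtemp(prefix="pb-profile-")
    try:
        _write(os.path.join(profile, "cert8.db"), b"built-in roots")
        _write(os.path.join(profile, "sample.sqlite"), b"table data")
        _write(os.path.join(profile, "prefs.js"), b"// unchanged")
        before = snapshot(profile)

        # Constructed stand-in for the writes seen during a private-mode test run.
        _write(os.path.join(profile, "cert8.db"), b"+cached CA cert", mode="ab")
        _write(os.path.join(profile, "search.json"), b'{"engine": "constructed"}')
        touched = os.path.join(profile, "sample.sqlite")
        st = os.stat(touched)
        os.utime(touched, ns=(st.st_atime_ns, st.st_mtime_ns + 5_000_000_000))

        return diff_profiles(before, snapshot(profile))
    finally:
        shutil.rmtree(profile, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16} {paths}")
```

In a regression run, any entry under created or content_changed after a private-mode session is a candidate leak to inspect by hand; mtime_only entries correspond to the weaker signal that the profile was accessed.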